Database Activity Monitoring may not carry the same burden of hype as Data Loss Prevention, but it is one of the most significant data and application security tools on the market. With an estimated market size of $40M last year, and predictions of $60M to $80M this year, it rivals DLP in spending. Database Activity Monitoring also carries the best DAM acronym in the industry

Sorry, couldn’t help myself.

DAM is an adolescent technology with significant security and compliance benefits. The market is currently dominated by startups but we’ve seen large vendors starting to enter the space, although products are not currently as competitive as those from smaller vendors. Database Activity Monitoring tools are also sometimes called Database Auditing and Compliance, or various versions of Database Security.

There’s a reason I’ve picked DAM as the second technology in my Understanding and Selecting series. I believe that DLP and DAM form the lynchpins of two major evolving data security stacks. DLP, as it migrates to CMF and CMP, will be the center of the content security stack; focused on classifying and protecting structured and unstructured content as it’s created and used. It’s more focused on protecting data after it’s moved outside of databases and major enterprise applications. DAM will combine with application firewalls as the center of the applications and database security stack, providing activity monitoring and enforcement within databases and applications. One protects content in a structured application and database stack (DAM) and the other protects data as it moves out of this context onto workstations and storage, into documents, and into communications channels (CMP).

Defining DAM

Database Activity Monitors capture and record, at a minimum, all Structured Query Language (SQL) activity in real time or near real time, including database administrator activity, across multiple database platforms, and can generate alerts on policy violations. While a number of tools can monitor various level of database activity, Database Activity Monitors are distinguished by five features:

  1. The ability to independently monitor and audit all database activity, including administrator activity and SELECT transactions. Tools can record all SQL transactions: DML, DDL, DCL, (and sometimes TCL) activity.
  2. The ability to store this activity securely outside of the database.
  3. The ability to aggregate and correlate activity from multiple, heterogeneous Database Management Systems (DBMS). Tools can work with multiple DBMS (e.g., Oracle, Microsoft, IBM) and normalize transactions from different DBMS despite differences in their flavors of SQL.
  4. The ability to enforce separation of duties on database administrators. Auditing activity must include monitoring of DBA activity, and solutions should prevent DBA manipulation of and tampering with logs and activity records.
  5. The ability to generate alerts on policy violations. Tools don’t just record activity, they provide real-time monitoring and rule-based alerting. For example, you might create a rule that generates an alert every time a DBA performs a SELECT query on a credit card column that returns more than 5 results.

Other tools provide some level of database monitoring, including Security Information and Event Management (SIEM), log management, and database management, but DAM products are distinguished by their ability to capture and parse all SQL in real time or near real time and monitor DBA activity.

Depending on the underlying platform, a key benefit of most DAM tools is the ability to perform this auditing without relying on local database logging, which often comes with a large performance cost. All the major tools also offer other features beyond simple monitoring and alerting, ranging from vulnerability assessment to change management.

Market Drivers

DAM tools are extremely flexible and often deployed for what may appear to be totally unrelated reasons. Deployments are typically driven by one of three drivers:

  1. Auditing for compliance. One of the biggest boosts to the DAM market has been increasing auditor requirements to record database activity for SOX (Sarbanes-Oxley) compliance. Some enterprises are required to record all database activity for SOX, and DAM tools can do this with less overhead than alternative approaches.
  2. As a compensating control for compliance. We are seeing greater use of DAM tools as a compensating control to meet compliance requirements even though database auditing itself isn’t the specified control. The most common example is using DAM as an alternative to encrypting credit card numbers for PCI compliance.
  3. As a security control. DAM tools offer significant security benefits and can sometimes even be deployed in a blocking mode. They are particularly helpful in detecting and preventing data breaches for web facing databases and applications, or to protect sensitive internal databases through detection of unusual activity.

DAM tools are also beginning to expand into other areas of database and application security, as we’ll cover in a future post. Today, SOX compliance is the single biggest market driver, followed by PCI. Despite impressive capabilities, internally-driven security projects are a distant third motivation for DAM deployments.

Use Cases

Since Database Activity Monitoring is so versatile, here are a few examples of how it can be used:

  1. To enforce separation of duties on database administrators for SOX compliance by monitoring all their activity and generating SOX-specific reports for audits.
  2. If an application typically queries a database for credit card numbers, a DAM tool can generate an alert if the application requests more card numbers than a defined threshold (often a threshold of “1”). This can indicate that the application has been compromised via SQL injection or some other attack.
  3. To ensure that a service account only accesses a database from a defined source IP, and only runs a narrow range of pre-approved queries. This can alert on compromise of a service either a) from the system that normally uses it, or b) if the account credentials are stolen and used from another system.
  4. For PCI compliance you can encrypt the database files or media where they’re stored, then use DAM to audit and alert on access to the credit card field. The encryption protects against physical theft, while the DAM protects against insider abuse and certain forms of external attack.
  5. As a change and configuration management tool. Some DAM tools offer this as a specialized feature with closed-loop integration with change management tools to track approved database changes implemented in SQL. Other tools can use this to track administrator accounts and provide change management reports for manual reconciliation.

In our next post we’ll cover the various technical architectures, including the big debate between agents and network sniffers, and follow with future posts covering major features to look for and how to run a selection process.